@malicator
Marco Croc
2 months
@usmannk @CurveFinance Checking reentrancy using "claim_admin_fees" is a common practice, as recommended by @chain_security. "withdraw_admin_fees" does the same, but in this case it didn't have a reentrancy lock. There are many types of Curve pools; some use claim, some use withdraw.

Replies

@malicator
Marco Croc
2 months
🐞I reported a vulnerability in @CurveFinance and I am thrilled to share that I've been awarded a bug bounty of $250,000. 🧵
@usmannk
usmann
2 months
@malicator @CurveFinance Interesting, what happened to “claim_admin_fees”? I once recommended someone use it to check Curve’s reentrancy context *specifically because* it has a reentrancy lock.
@usmannk
usmann
2 months
@malicator @CurveFinance @chain_security I figured that was the case. The variety of Curve pools is kind of ridiculous. Is there even a central record of all the different flavors?
@malicator
Marco Croc
2 months
@usmannk @CurveFinance @chain_security Curve team has it internally as I saw they quickly applied emergency patches to all affected pools. Haven't found public DB though. I can browse various types of pools in Curve UI.